Horizon exposes internal IP addresses via keystone/svc-catalog API
Bug #1798832 reported by
Oleksiy Petrenko
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Dashboard (Horizon) | Fix Released | Undecided | Oleksiy Petrenko | | |
Bug Description
Example url: https://<horizon>
Different application responses contain resource links which disclose internal IP addresses. Threat actors could learn valuable information and plan further attacks on disclosed systems. Horizon should avoid including internal IP addresses in application responses.
Changed in horizon:
assignee: nobody → Oleksiy Petrenko (enacero)
status: New → In Progress
Reviewed: https://review.openstack.org/611819
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=31718cd1afe9bf115dbe09b0d232a5d9ae13ae61
Submitter: Zuul
Branch: master
commit 31718cd1afe9bf115dbe09b0d232a5d9ae13ae61
Author: Alex Petrenko <email address hidden>
Date: Fri Oct 19 12:10:38 2018 +0300
Refactor app response for api request '/api/keystone/svc-catalog'
Add filtration for service catalog. Now all endpoints that are not
public will not be seen.
Change-Id: I6db214f849d13c4c71e176f00113e889ff2d2997
Closes-Bug: #1798832
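
The filtering the commit message describes, sketched as an added example (not the code from the Horizon commit). It assumes the Keystone v3 catalog layout, where each endpoint carries an `interface` of `public`, `internal` or `admin`; the function names and sample catalog are hypothetical. The second helper is an extra check that a "public" endpoint does not itself point at a non-routable address.

```python
import copy
import ipaddress
from urllib.parse import urlparse

# Constructed sample in Keystone v3 catalog shape; all values are made up.
SAMPLE_CATALOG = [
    {"type": "compute", "name": "nova", "endpoints": [
        {"interface": "public", "region": "RegionOne",
         "url": "https://cloud.example.org:8774/v2.1"},
        {"interface": "internal", "region": "RegionOne",
         "url": "http://10.0.0.11:8774/v2.1"},
        {"interface": "admin", "region": "RegionOne",
         "url": "http://10.0.0.11:8774/v2.1"}]},
    {"type": "placement", "name": "placement", "endpoints": [
        {"interface": "internal", "region": "RegionOne",
         "url": "http://10.0.0.12:8778"}]},
    {"type": "image", "name": "glance", "endpoints": [
        {"interface": "public", "region": "RegionOne",
         "url": "http://192.168.1.20:9292"}]},
]


def public_only(catalog):
    """Return a copy of the catalog keeping only 'public' endpoints.

    Services left with no endpoint are dropped (a choice made for this example).
    """
    filtered = []
    for service in catalog:
        endpoints = [copy.deepcopy(e) for e in service.get("endpoints", [])
                     if e.get("interface") == "public"]
        if endpoints:
            filtered.append({**service, "endpoints": endpoints})
    return filtered


def private_address_urls(catalog):
    """List endpoint URLs whose host is a literal non-global IP address."""
    leaks = []
    for service in catalog:
        for endpoint in service.get("endpoints", []):
            host = urlparse(endpoint.get("url", "")).hostname
            try:
                if host and not ipaddress.ip_address(host).is_global:
                    leaks.append(endpoint["url"])
            except ValueError:
                pass  # DNS name, not an IP literal; cannot judge offline
    return leaks
```

Running `private_address_urls(public_only(catalog))` against a deployment's catalog flags public endpoints that were registered with an internal address, which interface filtering alone does not catch.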